On 16.11.2010 14:02, Cihula, Joseph wrote:
>> From: Jan Kiszka [mailto:[email protected]]
>> Sent: Tuesday, November 16, 2010 6:23 PM
>>
>> On 16.11.2010 05:48, Wang, Shane wrote:
>>> Avi Kivity wrote:
>>>> On 11/14/2010 12:41 PM, Jan Kiszka wrote:
>>>>> On 14.11.2010 11:30, Avi Kivity wrote:
>>>>>> On 11/14/2010 11:18 AM, Jan Kiszka wrote:
>>>>>>> From: Jan Kiszka<[email protected]>
>>>>>>>
>>>>>>> Without CONFIG_INTEL_TXT, the user must not enable this feature
>>>>>>> in the BIOS. Otherwise, KVM will not work. Explain this
>>>>>>> dependency via a kernel log message.
>>>>>>>
>>>>>>> Signed-off-by: Jan Kiszka<[email protected]>
>>>>>>> ---
>>>>>>> arch/x86/kvm/vmx.c | 7 ++++++-
>>>>>>> 1 files changed, 6 insertions(+), 1 deletions(-)
>>>>>>>
>>>>>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>>>>>> index 9367abc..ebafd57 100644
>>>>>>> --- a/arch/x86/kvm/vmx.c
>>>>>>> +++ b/arch/x86/kvm/vmx.c
>>>>>>> @@ -1306,8 +1306,13 @@ static __init int >>>>>>> vmx_disabled_by_bios(void) && tboot_enabled()) >>>>>>> return 1; >>>>>>> if (!(msr& FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX) >>>>>>> -&& !tboot_enabled()) +&& !tboot_enabled()) { >>>>>>> +#ifndef CONFIG_INTEL_TXT >>>>>>> + printk(KERN_INFO "kvm: if TXT is enabled in the >>>>>>> bios, " + "kvm depends on >>>>>>> CONFIG_INTEL_TXT\n"); +#endif return 1; >>>>>>> + } >>>>>>> } >>>>>>>
>>> Why do we need this?
>>> If TXT is enabled in the bios, it doesn't mean TXT is launched but TXT is
>>> available.
>>> tboot_enabled() = TXT is launched. And non-CONFIG_INTEL_TXT means
>>> tboot_enabled() = 0.
>>> If you enable VT in bios, FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is set.
>>
>> Probably, this patch is based on my semi-understanding of TXT. What I
>> observe is that, when I enable TXT in the BIOS of my machine, kvm-intel
>> does not load and reports VT-x being disabled at BIOS level. As my
>> kernels had CONFIG_INTEL_TXT disabled, I thought that was the reason.
>>
>> However, it turned out that
>> A) FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX is _not_ set here when TXT
>> is enabled in the BIOS
>> B) enabling CONFIG_INTEL_TXT does not magically solve the issue, KVM
>> still does not work
>>
>> The latter appears to be related to the fact that I do not actually have
>> a trust chain from the BIOS over the boot loader to the kernel. So
>> tboot_addr is not set and tboot_enabled remains off. I guess I need some
>> trusted grub or so to get this running, maybe even more. Still, I'm
>> unsure if that will give me VT-x support back again. Can you comment on
>> the requirements and mechanisms behind that?
>
> The setting of the FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX when TXT is
> enabled is up to each OEM. Intel's original guidance was to clear this flag,
> to prevent a Blue Pill type of attack on an un-measured OS launch.
> Intel has since changed our guidance to set this flag even when TXT is
> enabled, in order to allow for dual boot and late launch uses of TXT along
> with VT.
>
>> In any case, what we should catch is the user mistake of enabling TXT in
>> the BIOS blindly without actually needing it, disabling VT-x this way.
>> How to express this?
>
> It is probably worth a warning/guidance message to the user that, if this
> condition is detected, they should either disable TXT in the BIOS or activate
> TXT before enabling KVM.
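Review bot: the "#ifndef CONFIG_INTEL_TXT" guard around the new printk ties the message to a kernel build option, but the condition it sits in (FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX clear in a locked MSR while tboot_enabled() is false) is produced by the OEM BIOS regardless of how the kernel was configured, as the replies above confirm; with CONFIG_INTEL_TXT=y and no measured launch the same branch is taken and the user gets no message at all. Suggest dropping the #ifndef/#endif pair, keeping "return 1;", and rewording the text as the guidance Joseph describes, along the lines of "kvm: VT-x disabled by BIOS (TXT enabled?): disable TXT in the BIOS or launch TXT before loading kvm-intel". KERN_WARNING fits better than KERN_INFO for a condition that stops kvm-intel from loading. The message as written ("kvm depends on CONFIG_INTEL_TXT") also points the user at a fix that the thread shows does not work on its own: enabling the option without a measured launch still leaves VT-x disabled.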
So the condition to issue the warning is FEATURE_CONTROL_LOCKED &&
!FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX? Independent of tboot_enabled or
precisely in that branch I targeted, just without CONFIG_INTEL_TXT?

Out of curiosity: Who would enable TXT, and how, so that VT-x becomes usable
again? The trusted boot loader (like tboot)?

Jan

--
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
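Added here as an illustration of the decision the thread is arguing about; it is not code from the patch or from anyone in the thread. It is a user-space C model of the IA32_FEATURE_CONTROL checks that gate VMXON: the MSR is locked by the BIOS, and once locked the inside-SMX bit permits VMXON under a measured (tboot) launch while the outside-SMX bit permits it on a normal boot. The three bit positions are the ones the Linux kernel defines for this MSR; the function names, the enum, the message strings and the sample MSR values are assumptions constructed for the example. The warning predicate encodes exactly the condition Jan asks about: MSR locked, outside-SMX bit clear, no tboot launch, independent of CONFIG_INTEL_TXT.

```c
/*
 * Added example, not part of the patch or of any reply in this thread: a
 * user-space model of the IA32_FEATURE_CONTROL decision kvm-intel makes in
 * vmx_disabled_by_bios(), plus the warning condition discussed above.
 * The three bit positions are the ones Linux defines for this MSR; the
 * function names, the enum and the reason strings are hypothetical.
 * Build with: cc -Wall -o feature_control feature_control.c
 */
#include <stdint.h>
#include <stdio.h>

#define FEATURE_CONTROL_LOCKED                    (1ULL << 0)
#define FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX  (1ULL << 1)
#define FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX (1ULL << 2)

enum vmx_state {
	VMX_USABLE,               /* VMXON permitted in the current mode */
	VMX_MSR_UNLOCKED,         /* BIOS left the MSR unlocked: the kernel can
	                             set the enable bits and lock it itself */
	VMX_DISABLED_OUTSIDE_SMX, /* locked, outside-SMX bit clear, no tboot:
	                             the "TXT enabled in the BIOS" case */
	VMX_DISABLED_INSIDE_SMX,  /* locked, tboot launched, inside-SMX bit clear */
};

/*
 * Classify a FEATURE_CONTROL value.  tboot_enabled mirrors the kernel's
 * tboot_enabled(): non-zero only when the kernel was started by tboot and is
 * therefore running inside an SMX (measured) environment.  Without
 * CONFIG_INTEL_TXT the kernel helper is always 0, so only the outside-SMX
 * bit can ever matter on such a kernel.
 */
enum vmx_state classify_feature_control(uint64_t msr, int tboot_enabled)
{
	if (!(msr & FEATURE_CONTROL_LOCKED))
		return VMX_MSR_UNLOCKED;
	if (tboot_enabled)
		return (msr & FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX)
		       ? VMX_USABLE : VMX_DISABLED_INSIDE_SMX;
	return (msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
	       ? VMX_USABLE : VMX_DISABLED_OUTSIDE_SMX;
}

/*
 * The check the thread converges on: warn when the MSR is locked with the
 * outside-SMX bit clear and no measured launch is active.  This is what a
 * BIOS following Intel's original TXT guidance produces, and it does not
 * depend on CONFIG_INTEL_TXT at all.
 */
int should_warn_txt_without_launch(uint64_t msr, int tboot_enabled)
{
	return classify_feature_control(msr, tboot_enabled) == VMX_DISABLED_OUTSIDE_SMX;
}

/* Guidance text in the spirit of the message proposed in the thread. */
const char *vmx_state_message(enum vmx_state s)
{
	switch (s) {
	case VMX_USABLE:
		return "VT-x usable";
	case VMX_MSR_UNLOCKED:
		return "FEATURE_CONTROL unlocked; kernel will enable VMX itself";
	case VMX_DISABLED_OUTSIDE_SMX:
		return "VT-x disabled by BIOS (TXT enabled?): disable TXT in the "
		       "BIOS or launch TXT (tboot) before loading kvm-intel";
	case VMX_DISABLED_INSIDE_SMX:
		return "VT-x not permitted inside SMX by BIOS";
	}
	return "unknown";
}

int main(void)
{
	/* Constructed sample MSR values, not read from real hardware. */
	struct { const char *label; uint64_t msr; int tboot; } cases[] = {
		{ "VT enabled, TXT off",
		  FEATURE_CONTROL_LOCKED | FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX, 0 },
		{ "TXT enabled, old guidance",
		  FEATURE_CONTROL_LOCKED | FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX, 0 },
		{ "TXT enabled, old guidance, tboot launch",
		  FEATURE_CONTROL_LOCKED | FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX, 1 },
		{ "TXT enabled, new guidance",
		  FEATURE_CONTROL_LOCKED | FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX |
		  FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX, 0 },
		{ "MSR left unlocked", 0, 0 },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		enum vmx_state s = classify_feature_control(cases[i].msr, cases[i].tboot);
		printf("%-40s msr=0x%llx tboot=%d -> %s%s\n", cases[i].label,
		       (unsigned long long)cases[i].msr, cases[i].tboot,
		       vmx_state_message(s),
		       should_warn_txt_without_launch(cases[i].msr, cases[i].tboot)
		       ? " [warn]" : "");
	}
	return 0;
}
```

The "TXT enabled, old guidance" row is the configuration Jan observed: the BIOS locks the MSR with only the inside-SMX bit set, so a plain boot cannot use VT-x and a tboot launch can, while the "new guidance" row shows the same BIOS setting both bits, which is why the warning predicate must look at the outside-SMX bit rather than at whether TXT is merely available.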
